Ensure that your app-tier EC2 instances use IAM roles to grant the applications running on them the permissions they need, and no more (the principle of least privilege). This conformity rule assumes that all AWS resources provisioned in your app tier are tagged with <app_tier_tag>:<app_tier_tag_value>, where <app_tier_tag> is the tag name and <app_tier_tag_value> is the tag value. Before the Cloud Conformity engine runs this rule, the app-tier tags must be known and configured in the rule settings on your Cloud Conformity account dashboard.
This rule can help you with the following compliance standards:
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Applications that run on EC2 instances need credentials in order to access other AWS services. An IAM role associated with an app-tier instance provides these credentials dynamically. Using IAM roles to sign API requests with AWS credentials brings several benefits. You no longer have to manage long-lived credentials on the instance, because the credentials the role provides are temporary and rotated automatically. You can use a single role for multiple EC2 instances within your app tier, manage the role's permissions in one place, and let changes propagate automatically to every associated instance. You can also restrict which roles an IAM user may attach to an app-tier EC2 instance at launch time, so that the user cannot use the launch process to gain elevated privileges.
Note: Make sure that you replace all <app_tier_tag>:<app_tier_tag_value> tag placeholders found in the conformity rule content with your own tag name and value created for the app tier.
To determine if your app-tier EC2 instances are using IAM roles to sign AWS API requests, perform the following actions:
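One way to perform this audit programmatically, as an added example that is not Cloud Conformity's own engine: the script below selects EC2 instances carrying the app-tier tag and reports those with no IAM instance profile attached. The tag key `Tier` and value `app`, the instance IDs, and the sample `describe_instances` response are all constructed for illustration; `fetch_reservations()` shows the equivalent live boto3 call and is not invoked by default.

```python
"""Audit app-tier EC2 instances for a missing IAM instance profile.

Added example; not part of the Cloud Conformity rule engine. The tag
key/value and the sample instance data below are constructed assumptions.
"""
from typing import Iterable, List


def app_tier_instances(reservations: Iterable[dict], tag_key: str, tag_value: str) -> List[dict]:
    """Return every instance whose tags contain tag_key == tag_value.

    `reservations` has the shape of ec2.describe_instances()["Reservations"].
    """
    matches = []
    for reservation in reservations:
        for instance in reservation.get("Instances", []):
            tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
            if tags.get(tag_key) == tag_value:
                matches.append(instance)
    return matches


def instances_without_role(reservations: Iterable[dict], tag_key: str, tag_value: str) -> List[str]:
    """Instance IDs in the tagged tier that have no IAM instance profile.

    An instance with no role has no "IamInstanceProfile" key at all, so the
    lookup tolerates both a missing key and an empty dict.
    """
    return [
        inst["InstanceId"]
        for inst in app_tier_instances(reservations, tag_key, tag_value)
        if not inst.get("IamInstanceProfile", {}).get("Arn")
    ]


def fetch_reservations(region: str) -> List[dict]:
    """Live variant: page through describe_instances with boto3.

    Terminated instances are excluded so they do not show up as findings.
    Not executed in this example; it needs AWS credentials.
    """
    import boto3  # imported lazily so the offline audit logic has no dependency

    ec2 = boto3.client("ec2", region_name=region)
    reservations: List[dict] = []
    paginator = ec2.get_paginator("describe_instances")
    state_filter = [{"Name": "instance-state-name", "Values": ["pending", "running", "stopping", "stopped"]}]
    for page in paginator.paginate(Filters=state_filter):
        reservations.extend(page["Reservations"])
    return reservations


# Constructed sample response: one compliant app-tier instance, one
# non-compliant app-tier instance, and one web-tier instance that this
# rule must ignore even though it also lacks a role.
SAMPLE_RESERVATIONS = [
    {
        "Instances": [
            {
                "InstanceId": "i-0a1a1a1a1a1a1a1a1",
                "Tags": [{"Key": "Tier", "Value": "app"}, {"Key": "Name", "Value": "app-01"}],
                "IamInstanceProfile": {
                    "Arn": "arn:aws:iam::123456789012:instance-profile/app-tier-profile",
                    "Id": "AIPAEXAMPLEID",
                },
            },
            {
                "InstanceId": "i-0b2b2b2b2b2b2b2b2",
                "Tags": [{"Key": "Tier", "Value": "app"}, {"Key": "Name", "Value": "app-02"}],
            },
        ]
    },
    {
        "Instances": [
            {
                "InstanceId": "i-0c3c3c3c3c3c3c3c3",
                "Tags": [{"Key": "Tier", "Value": "web"}],
            }
        ]
    },
]


if __name__ == "__main__":
    findings = instances_without_role(SAMPLE_RESERVATIONS, "Tier", "app")
    for instance_id in findings:
        print(f"NON-COMPLIANT: {instance_id} has no IAM instance profile attached")
    if not findings:
        print("All app-tier instances have an IAM instance profile")
```

Run as-is it reports only `i-0b2b2b2b2b2b2b2b2`; swap `SAMPLE_RESERVATIONS` for `fetch_reservations("us-east-1")` to audit a real account. The tier filter matters: the web-tier instance is also missing a role, but it is outside this rule's scope and belongs to the separate web-tier check.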
Remediation / Resolution
To attach IAM roles to your running app-tier EC2 instances, you need to re-launch those instances and associate them with the required IAM roles. To create the necessary IAM roles (together with their instance profiles) and attach them to your EC2 instances during the launch process, perform the following actions:
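The remediation carried through with boto3, as an added example rather than Cloud Conformity's own remediation steps. It builds the EC2 trust policy, a deliberately narrow permissions policy, creates the role and instance profile, and launches an instance with that profile and the app-tier tag. The role name `app-tier-role`, the bucket ARN, the AMI ID, and the tag key/value are placeholders; the functions that call AWS take a client argument and are not executed here.

```python
"""Create a least-privilege IAM role + instance profile and launch an
app-tier instance with it. Added example; not Cloud Conformity's code.
Role/profile names, the bucket ARN and the AMI ID are assumed placeholders.
"""
import json
from typing import Dict, List


def ec2_trust_policy() -> Dict:
    """Trust policy that lets the EC2 service assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }],
    }


def least_privilege_policy(bucket_arn: str) -> Dict:
    """Read-only access to one bucket: the narrowest grant this app needs.

    Adjust the actions/resources to what the application actually calls;
    the point is that neither Action nor Resource is a bare wildcard.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": bucket_arn},
            {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": f"{bucket_arn}/*"},
        ],
    }


def wildcard_statements(policy: Dict) -> List[int]:
    """Indexes of Allow statements whose Action or Resource is '*'.

    Useful as a pre-flight check before put_role_policy: an empty list
    means nothing in the policy grants blanket access.
    """
    flagged = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions or "*" in resources:
            flagged.append(i)
    return flagged


def create_app_tier_profile(iam, role_name: str, policy: Dict) -> str:
    """Create role, inline policy and instance profile; return profile name.

    Not run here. `iam` is a boto3 IAM client. The instance profile name
    mirrors the role name, which is what the console does by default.
    """
    if wildcard_statements(policy):
        raise ValueError("refusing to create a role whose policy grants '*'")
    iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(ec2_trust_policy()))
    iam.put_role_policy(RoleName=role_name, PolicyName=f"{role_name}-inline", PolicyDocument=json.dumps(policy))
    iam.create_instance_profile(InstanceProfileName=role_name)
    iam.add_role_to_instance_profile(InstanceProfileName=role_name, RoleName=role_name)
    # A freshly created profile takes a few seconds to become usable by EC2.
    iam.get_waiter("instance_profile_exists").wait(InstanceProfileName=role_name)
    return role_name


def launch_with_profile(ec2, ami_id: str, profile_name: str, tag_key: str, tag_value: str) -> str:
    """Launch one instance with the profile and the app-tier tag; return its ID. Not run here."""
    resp = ec2.run_instances(
        ImageId=ami_id,
        InstanceType="t3.micro",
        MinCount=1,
        MaxCount=1,
        IamInstanceProfile={"Name": profile_name},
        TagSpecifications=[{"ResourceType": "instance", "Tags": [{"Key": tag_key, "Value": tag_value}]}],
    )
    return resp["Instances"][0]["InstanceId"]


if __name__ == "__main__":
    import boto3  # only needed for the live path

    iam, ec2 = boto3.client("iam"), boto3.client("ec2")
    policy = least_privilege_policy("arn:aws:s3:::example-app-config-bucket")  # placeholder bucket
    profile = create_app_tier_profile(iam, "app-tier-role", policy)
    print(launch_with_profile(ec2, "ami-0123456789abcdef0", profile, "Tier", "app"))  # placeholder AMI
```

`wildcard_statements()` is the least-privilege guard: the rule is satisfied by any attached role, but a role whose policy allows `*` on `*` simply moves the over-privilege from static keys into the role. For instances you would rather not re-launch, the EC2 API also offers `associate_iam_instance_profile(IamInstanceProfile={"Name": profile}, InstanceId=...)`, which attaches a profile to a running instance.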
- AWS Documentation
- Amazon EC2 FAQs
- Using IAM Roles
- Using an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances
- Using Instance Profiles
- Roll EC2 Full Access
- Temporary Security Credentials
- Permissions for the IAM Role Assigned to AWS Config
- Elastic IP Addresses
- CIS Amazon Web Services Foundations
You are auditing:
App-Tier EC2 Instance Using IAM Roles
Risk level: Medium